Eset Reveals New Worm Targeting AutoCAD Drawings

"This infection takes a shotgun approach, stealing basically everything it can find," said Pierre-Marc Bureau, Security Intelligence Program Manager at Eset. “This makes it much more difficult to know exactly what the controllers are targeting, but anyone doing business with a national government likely has access to high-value information.”

Known as ACAD/Medre.A, the worm emails opened AutoCAD drawings to one of more than 40 email accounts at two Chinese ISPs: 163.com and qq.com.

[Related: Eset Rebrands and Updates Security Offerings ]

The malware is downloaded as a hidden file named acad.fas, usually accompanying an AutoCAD .dwg file. Once the drawing is open, the worm tries to copy itself to several locations and issues commands designed to ensure that it will be executed whenever an AutoCAD drawing of any kind is opened on the infected system.

Bureau added that the Chinese ISPs in question acted quickly to begin blocking messages to the email addresses that served as the drop-off point. However, AutoCAD users are still being urged to run searches for tell-tale signs of ACAD/Medre.A.

Eset, which has been investigating the worm since it was first discovered in February, has created a free removal tool, though Eset customers can remove the malware through the company’s online scanner. In addition to detection via scanner, the presence of files named "acad.fas" and "cad.fas" in the same directory as the .dwg drawings is viewed as an indicator of the infection -- particularly if the files are marked as "hidden."

The investigation was accelerated over the last two months when the company noticed a dramatic uptick in the number of infections.